Accidental online leak involved more than 6,800 students; another 22K may also be affected

An in-class project on advanced search techniques led to the discovery of a major data breach at the University of Tampa (UT) in Florida earlier this month.

The breach affected more than 6,800 students who enrolled with the university last fall. It occurred after a file containing their names, Social Security Numbers and dates of birth was inadvertently made available on the Web for about eight months.

Another two files containing similar data on an additional 22,722 faculty, staff and students may also have been available online during that same period, the university said in a statement Monday. Those two files were not indexed by Google and therefore are less likely to have been viewed by others, the university said.

The school did not say why only one file was indexed by Google.

The breach followed a decision by university IT officials to create three temporary files to address a problem with university ID cards that arose after a server migration in July 2011. The file with the sensitive data was available from July 2011 to March 13, 2012, when it was discovered during an in-class search exercise. It has since been removed and all traces of it deleted from search caches.

UT will pay for credit monitoring services for the 6,818 students whose data was exposed. A university spokesman did not immediately respond to a request for comment.

Compromises stemming from inadvertent data exposure on the Web are common. Last year, the names, Social Security Numbers and other personal data on more than 3.2 million Texas residents was compromised after three files were inadvertently put on a server that was accessible over the Web. The compromise resulted in two senior Texas IT executives being fired by the State Comptroller's office.

Similarly, Yale University last August had to warn 43,000 faculty, staff and students of a breach after the File Transfer Protocol (FTP) server on which the data was stored got indexed by Google and became searchable on the Web. In that case, the data was publicly available for more than 10 months before it was discovered and taken down.